Abstract — In this paper we present a new 5-pass identification scheme with asymptotic cheating probability 1/2 based on the syndrome decoding problem. Our protocol is related to the Stern identification scheme but has a reduced communication cost compared to previous code-based zero-knowledge schemes; moreover our scheme permits to obtain a very small public key and secret key. The contribution of this paper is twofold. First we propose a variation on the Stern authentication scheme which permits to decrease asymptotically the cheating probability to 1/2 rather than 2/3 (and very close to 1/2 in practice) but with less communication. Our solution is based on deriving new challenges from the secret key through cyclic shifts of the initial public key syndrome; a new proof of soundness for this case is given. Secondly we propose a new way to deal with hashed commitments in zero-knowledge schemes based on Stern's scheme, so that in terms of communication, on average, only one hash value is sent rather than two or three. Overall our new scheme has the good features of having a zero-knowledge security proof based on a well known hard problem of coding theory, a small size of secret and public key (a few hundred bits), a small computational complexity, for an overall communication cost of 19kb for authentication (for a 2 security) and a signature of size 93kb (11.5kB) (for security 2^80), an improvement of 40% compared to previous schemes based on coding theory.

Keywords : Zero-knowledge protocols, coding 
theory, Stern SD scheme. 



I. Introduction 

The use of coding theory for public key cryptography was initiated by McEliece more than 30 years ago. Although the system has often been considered too costly and impractical because of the size of the public key, code-based cryptography has received much more attention in recent years. Besides the fact that code-based cryptography can possibly resist a quantum computer, code-based systems also have inherent interests: they are very fast and are usually easy to implement compared to number theory based systems. Such features make code-based systems good candidates for low-cost cryptography.

There are two main types of code-based cryptosystems: systems with hidden structure like the McEliece cryptosystems (analogous to RSA) and systems with no hidden structure (analogous to discrete-log-based cryptosystems) like for instance the Stern code-based authentication scheme ([Ste93]). This second type of system is not vulnerable to structural attacks, which are the main cause of attacks on McEliece-like cryptosystems. In practice, as for the Stern scheme, they have not been attacked beyond the usual improvements on the attack of the underlying hard problem.

In the case of coding theory the underlying hard 
problem (the Syndrome decoding problem SD) is now 
well studied and considered as very secure. 

Code-based zero-knowledge authentication schemes are very interesting since their security is directly related to a hard problem; moreover they can be turned into signature schemes through the Fiat-Shamir paradigm. Meanwhile there are two strong drawbacks for these schemes. The first drawback is the size of the public key, which can reach several hundred thousand bits, and the second drawback is the size of the communication induced by the cheating probability, more than 150kb in practice for a 2^80 security level.

The first drawback was resolved in part by Gaborit and Girault [GG07], who proposed to use structured matrices like double-circulant matrices (matrices of the form (I A) for A a random circulant matrix) to reduce the size of the public key to only a few hundred bits. The second drawback, the high cost of communications, largely remains. In this paper we make a step further to obtain a small communication cost: our new algorithm, with the same type of security as previous algorithms and small keys, permits to reduce the size of communications by 40%. We propose two different improvements: a first improvement relies on using the double-circulant structure to increase the number of possible challenges, and the generic second improvement consists in a better use of commitments by compressing them. In practice it is now possible to sign for a security level of 2^80 with a signature of size 93kb rather than 155kb, and to get identified for a security level of 2^-16 with 20kb rather than 31kb.

II. Background on code-based authentication schemes

A. Previous work 

There are several protocols based on the syndrome decoding problem; we quickly survey the main advances in this area. The first efficient protocol was proposed by Stern [Ste93]: his idea was a new way to prove the knowledge of a word with small weight and fixed syndrome. The idea consists of revealing one of three statements: the adequate weight with a masked syndrome, the adequate syndrome with a wrong weight, or a way the weight and the syndrome can be masked. The 3-challenge structure implies a cheating probability equal to 2/3 instead of 1/2 for the well known scheme of Fiat-Shamir. The Stern protocol is also uncommon by its use of hash functions. In [Ste93] Stern presents another protocol which aims at reducing the cheating probability to 1/2 by cutting the challenge step into 2 parts. Indeed, adding this challenge in the scheme prevents the prover from revealing the third statement and reduces the probability close to 1/2. The next improvement was a reduction of communication due to Veron in [Ver96]; the reduction is due to a different formulation of the secret, which decreases the cost of communication but increases the size of the key. In [GG07], Gaborit and Girault proposed to use particular compact matrices (doubly circulant matrices) in order to obtain a very short public matrix. The last improvement appeared with the protocol of Cayrel-Veron-El Yousfi, where the aim was to reduce the cheating probability to 1/2, as in the second protocol of Stern, but using fields with cardinality higher than 2. Our protocol uses the Veron variation, which we recall here.

B. Scheme of Veron 

private key : (e, m) with e of weight w and of length n and m a random element of F_2^k.
public key : (G, x, w) with G a random matrix of size k x n and x = e + mG.

1) [Commitment Step] P randomly chooses u ∈ F_2^k and a permutation σ of {1, 2, ..., n}. Then P sends to V the commitments c1, c2 and c3 such that :

   c1 = h(σ);  c2 = h(σ((u + m)G));  c3 = h(σ(uG + x));

2) [Challenge Step] V sends b ∈ {0, 1, 2} to P.

3) [Answer Step] Three possibilities :

   • if b = 0 : P reveals (u + m) and σ.
   • if b = 1 : P reveals σ((u + m)G) and σ(e).
   • if b = 2 : P reveals u and σ.

4) [Verification Step] Three possibilities :

   • if b = 0 : V verifies that c1, c2 have been honestly computed.
   • if b = 1 : V verifies that c2, c3 have been honestly computed, and wt(σ(e)) = w.
   • if b = 2 : V verifies that c1, c3 have been honestly computed.

Fig. 1. Protocol of Veron

III. A NEW SCHEME 

We now give more details and a high level overview 
on our two improvements. 

A. High level overview: Increasing the number of 
challenges 

Unlike the Fiat-Shamir scheme, in which the cheating probability is 1/2, this probability is 2/3 for the Stern protocol. It comes from the fact that proving that a prover knows a codeword of small weight with a given syndrome means proving two facts: the fact that the syndrome of the secret is valid and the fact that the secret has indeed a small weight. This situation implies that if one adds a random commitment there are always two possibilities for cheating among the three cases, notably since the attacker knows the syndrome of the secret.

The small weight of the secret is proved by using a permutation and a bitwise XOR, which permit to retrieve the syndrome thanks to the linearity of both operations. In all schemes based on syndrome decoding there is a statement of the form :

   σ(e) + v

Here e is the secret of low weight, σ a permutation and v a mask. In the Veron scheme v is equal to σ((u + m)G), which is a good mask for σ(e) with u a random word, and v is a random word in the Stern scheme. The idea described in the 5-pass scheme of Stern [Ste93] and in [CVA10] is that a variation of e can prevent a dependence on v and σ. So there is no need to test the construction of v and σ at the same time any more. The cheating probability is now close to 1/2; indeed there are now only two challenges possible for the second query.

The variation on e can be done in different ways: Stern used e as a codeword of a Reed-Muller code, Cayrel et al. used a scalar multiplication, and in our case we use a rotation of the two parts of e. Using this rotation we can deduce the syndrome of each permuted word thanks to the property of double circulant codes presented here. Let H = [I | A], for A a circulant matrix of length k, and let the syndrome be s = H·y^T for y = (y1, y2). For r a cyclic shift on n positions we obtain:

   s = H · (y1, y2)^T  ⇒  r(s) = H · (r(y1), r(y2))^T.

Our construction therefore leads to 2k possible challenges: k coming from the choice of the shift and 2 possibilities for the second query (compared to 3 in the classical case). An attacker can easily cheat for k challenges among the 2k possible, and we show that it is not possible for an attacker to cheat for more than k + i challenges (for i a security parameter) without knowing the secret.

This cyclic permutation point of view is an efficient way to reduce the cheating probability close to 1/2 in a binary scheme, without raising the communication cost as was done in the 5-pass scheme of Stern, and without considering a non-binary alphabet as in Cayrel et al., which also leads to less interesting communications.

B. High level overview: Commitments compression

In Stern's scheme (or Veron's scheme), the prover first has to send 3 commitments composed of 3 hashes of different values: c1, c2 and c3 in Veron's protocol (for instance). Sending these three hashes comes at a certain cost. Meanwhile one can remark that if the protocol works well, the Verifier retrieves 2 hash values among the 3 hash values sent. This remark shows that it is in fact possible to optimize the manipulation of these commitments. The Prover first needs to compute the three hash values as usual, but then rather than sending the three hash values, he sends a hash of the three hash values. After receiving the challenge of the Verifier the Prover knows that the Verifier is able to recover 2 of the 3 hash values; he then answers the challenge as usual, but also adds to his answer the missing hash value.

In the verification step, if all worked correctly the Verifier is able to recover the first commitment (the hash of the concatenation of the three hash values c1, c2 and c3) through the two hash values he retrieved and the third one in the Prover's answer. Overall only 2 hash values are sent rather than 3.

This idea can be generalized to the case of sequenced rounds: in that case for each round the Prover sends only the missing hash value, the two others being recovered by the Verifier. Then only a general commitment for all the rounds needs to be sent: a hash value of the sequence of all hash values of the different rounds. This point of view is very efficient, in particular for signature, for which the average number of hash values sent per round drops from 3 to 1.

Moreover this way of proceeding is secure in the random oracle model, since an error in the final hash value implies an error in one of the hashes of the round sequence.
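The compressed commitment flow just described, as an added example written for this page (not code from the paper or its authors): the prover sends one global hash over all rounds, the verifier rebuilds two of each round's three hashes from the answer, the prover supplies the third, and the verifier recomputes the global hash. SHA-256 stands in for the hash function, the per-round values are constructed stand-ins for c1, c2, c3 (the verifier "rebuilds" them by copying the honest values), and the challenge-to-missing-hash mapping follows Fig. 2 (b = 0 lets V recompute c1 and c3, b = 1 lets V recompute c2 and c3).

```python
import hashlib


def h(*parts):
    """Commitment hash: SHA-256 over a canonical encoding of the given parts (assumed)."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()


def missing_index(b):
    """Index (0, 1, 2 for c1, c2, c3) of the hash V cannot recompute for challenge b:
    b = 0 lets V rebuild c1 and c3 (c2 missing), b = 1 lets V rebuild c2 and c3 (c1 missing)."""
    return 1 if b == 0 else 0


def global_commitment(round_hashes):
    """Prover: a single hash over the per-round triples (c1, c2, c3) of every round.
    This is the only commitment sent up front, instead of three hashes per round."""
    return h(*[h(c1, c2, c3) for c1, c2, c3 in round_hashes])


def missing_hashes(round_hashes, challenges):
    """Prover: with each answer, append the one hash V cannot rebuild for that round."""
    return [hs[missing_index(b)] for hs, b in zip(round_hashes, challenges)]


def verify_compressed(commitment, rebuilt, sent, challenges):
    """Verifier: complete each round's triple with the hash the prover sent, hash the
    triples in order, and compare with the global commitment.
    rebuilt[j] holds the two hashes V recomputed in round j, in index order."""
    triples = []
    for pair, miss, b in zip(rebuilt, sent, challenges):
        triple = list(pair)
        triple.insert(missing_index(b), miss)   # put the prover's hash in its slot
        triples.append(h(*triple))
    return h(*triples) == commitment


def demo(rounds=4):
    """Constructed run: per-round stand-in hashes, alternating challenges.
    Returns (honest accepted, tampered accepted, hashes sent, hashes sent classically)."""
    round_hashes = [(h("c1", j), h("c2", j), h("c3", j)) for j in range(rounds)]
    challenges = [j % 2 for j in range(rounds)]
    commitment = global_commitment(round_hashes)          # 1 hash up front
    sent = missing_hashes(round_hashes, challenges)       # 1 hash per round with the answer
    rebuilt = [tuple(v for i, v in enumerate(hs) if i != missing_index(b))
               for hs, b in zip(round_hashes, challenges)]
    honest = verify_compressed(commitment, rebuilt, sent, challenges)
    # An answer that does not match round 0: V then rebuilds a different c3, and the
    # global hash no longer matches, so the mismatch is caught at the last step.
    bad = [(rebuilt[0][0], h("forged"))] + rebuilt[1:]
    tampered = verify_compressed(commitment, bad, sent, challenges)
    return honest, tampered, 1 + len(sent), 3 * rounds
```

For R rounds the prover sends 1 + R hash values instead of 3R, which is the "3 to 1 per round on average" of the text; `demo(18)` gives 19 against 54 for the 18 rounds of the new protocol.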

C. Description of the protocol

We use the same notations and the same keys as in the scheme of Veron.

private key : (e, m) with e of weight w and of length n and m a random element of F_2^k.
public key : (G, x, w) with G a random matrix of size k x n and x = e + mG.

For simplicity we describe the protocol in figure 2 only for the first improvement, since the second one is generic.

The verification protocol consists in a reconstruction of the hash values committed in the first steps of the algorithm. In the first case, the first and the third hash values can be constructed, and in the second case it concerns the second and the third hash values. The construction of the hash values is obvious except for c3 in the b = 0 case, using the two answers, the word u + m_r and the permutation σ. We just have to see that c3 = h(σ((u + m_r)G + x_r)), with x_r the public key x shifted r times: since x_r = e_r + m_r G, this is exactly h(σ(uG + e_r)).

IV. Security 

In this section we first prove the ZK security of our 
scheme by using the usual zero-knowledge arguments 
and we also consider practical security. 



1) [First commitment Step] P randomly chooses u ∈ F_2^k and a permutation σ of {1, 2, ..., n}. Then P sends to V the commitments c1 and c2 such that :

   c1 = h(σ);  c2 = h(σ(uG));

2) [First part of the challenge] V sends a value 0 ≤ r ≤ k − 1 (number of shifted positions) to P.

3) [Final commitment Step] P builds e_r = Rot_r(e) and sends the last part of the commitment :

   c3 = h(σ(uG + e_r))

4) [Challenge Step] V sends b ∈ {0, 1} to P.

5) [Answer Step] Two possibilities :

   • if b = 0 : P reveals (u + m_r) and σ.
   • if b = 1 : P reveals σ(uG) and σ(e_r), where e_r = Rot_r(e).

6) [Verification Step] Two possibilities :

   • if b = 0 : V verifies that c1, c3 have been honestly computed.
   • if b = 1 : V verifies that c2, c3 have been honestly computed, and that the weight of σ(e_r) is w.

Fig. 2. New double-circulant protocol
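The rotation identity of Section III.A and the protocol of Fig. 2 (including the recomputation of c3 from u + m_r and the shifted public key in the b = 0 case) can be checked end to end. The following Python is an added example written for this page, not code from the paper or its authors: it builds G = [I_k | A] from a random circulant A, verifies r(s) = H·(r(y1), r(y2))^T for H = [I_k | A], then runs honest rounds of the new protocol through both verification branches. SHA-256 stands in for the hash h, Rot_r is taken as a cyclic right shift of each of the two halves of a word, the toy sizes in demo() are constructed and far below the paper's parameters, and a seeded RNG is used only so the run is reproducible (a real prover needs a cryptographic source of randomness).

```python
import hashlib
import random

def rot(v, r):
    """Cyclic right shift of the list v by r positions (r = 0 returns a copy)."""
    r %= len(v)
    return v[-r:] + v[:-r] if r else list(v)

def rot_blocks(y, r):
    """Rot_r on a length-n word y = (y1, y2): shift each half of length k = n/2."""
    k = len(y) // 2
    return rot(y[:k], r) + rot(y[k:], r)

def circulant(first_row):
    """k x k circulant matrix whose row i is the first row shifted right by i."""
    return [rot(first_row, i) for i in range(len(first_row))]

def add(a, b):
    """Bitwise XOR of two F_2 vectors."""
    return [p ^ q for p, q in zip(a, b)]

def vec_mat(m, M):
    """Row vector times matrix over F_2 (M given as a list of rows)."""
    out = [0] * len(M[0])
    for bit, row in zip(m, M):
        if bit:
            out = add(out, row)
    return out

def encode(m, A):
    """mG for the double-circulant generator matrix G = [I_k | A]."""
    return list(m) + vec_mat(m, A)

def syndrome(A, y):
    """s = H . y^T for the parity-check matrix H = [I_k | A] and y = (y1, y2)."""
    k = len(A)
    A_y2 = [sum(a & b for a, b in zip(row, y[k:])) & 1 for row in A]
    return add(y[:k], A_y2)

def shift_property_holds(A, y, r):
    """The identity of Section III.A: r(s) = H . (r(y1), r(y2))^T."""
    return rot(syndrome(A, y), r) == syndrome(A, rot_blocks(y, r))

def apply_perm(sigma, v):
    """sigma(v): output position j receives bit sigma[j] of v."""
    return [v[sigma[j]] for j in range(len(v))]

def h(*parts):
    """Commitment hash h: SHA-256 over a canonical encoding (an assumption)."""
    data = "|".join(",".join(map(str, p)) for p in parts)
    return hashlib.sha256(data.encode()).hexdigest()

def keygen(n, k, w, rng):
    """Keys of the paper: e of weight w, m random in F_2^k, x = e + mG."""
    A = circulant([rng.randint(0, 1) for _ in range(k)])
    e = [0] * n
    for pos in rng.sample(range(n), w):
        e[pos] = 1
    m = [rng.randint(0, 1) for _ in range(k)]
    return (A, add(e, encode(m, A)), w), (e, m)

def run_round(pk, sk, rng):
    """One round of Fig. 2 with an honest prover P; returns True iff V accepts."""
    A, x, w = pk
    e, m = sk
    n, k = len(x), len(A)
    # 1) first commitment: u in F_2^k and a permutation sigma of the n positions
    u = [rng.randint(0, 1) for _ in range(k)]
    sigma = list(range(n))
    rng.shuffle(sigma)
    uG = encode(u, A)
    c1, c2 = h(sigma), h(apply_perm(sigma, uG))
    r = rng.randrange(k)                      # 2) first challenge: the shift r
    e_r = rot_blocks(e, r)                    # 3) e_r = Rot_r(e) and commitment c3
    c3 = h(apply_perm(sigma, add(uG, e_r)))
    b = rng.randrange(2)                      # 4) second challenge
    if b == 0:                                # 5)-6) P reveals (u + m_r) and sigma
        y = add(u, rot(m, r))
        x_r = rot_blocks(x, r)                # V shifts the public key itself
        # x_r = e_r + m_r G, hence (u + m_r)G + x_r = uG + e_r and c3 is recomputed
        return c1 == h(sigma) and c3 == h(apply_perm(sigma, add(encode(y, A), x_r)))
    s_uG, s_er = apply_perm(sigma, uG), apply_perm(sigma, e_r)   # P reveals both
    return c2 == h(s_uG) and c3 == h(add(s_uG, s_er)) and sum(s_er) == w

def demo(seed=7, n=20, k=10, w=3, rounds=40):
    """Seeded toy run on constructed parameters (not the paper's).
    Returns (all rounds accepted, shift identity holds for every r)."""
    rng = random.Random(seed)
    pk, sk = keygen(n, k, w, rng)
    accepted = all(run_round(pk, sk, rng) for _ in range(rounds))
    y = [rng.randint(0, 1) for _ in range(n)]
    return accepted, all(shift_property_holds(pk[0], y, r) for r in range(k))
```

The b = 0 branch is the point of Section III.C: the verifier never sees e_r, but because rotation commutes with multiplication by the circulant block, shifting the public key by r positions gives x_r = e_r + m_r G, and the revealed word u + m_r is enough to rebuild σ(uG + e_r) and hence c3.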



A. Completeness

Completeness is clear once we notice that what the prover sends permits to generate the corresponding hash values. It is pretty clear when we look at the verification step.

B. Soundness

We prove here that a malicious prover cannot be authenticated with probability much higher than (k + i)/2k. We introduce a new parameter i to compute a trade-off between the cheating probability, security cost and communication cost. The idea of the proof is to prove that someone who can anticipate more than k + i challenges can also retrieve the secret key with a good probability, depending on i. We use the verification algorithm of the protocol to obtain necessary conditions for cheating. The end of the proof consists in choosing a high enough parameter i such that, with a good probability, the only solution satisfying these conditions is the secret key.

Theorem IV.1. If a prover B is able to be accepted by a verifier with a probability higher than (k + i)/2k, B can retrieve the secret key of the protocol from the public one with a probability greater than 1 − p_i, where p_i is the probability estimated in the sketch of proof below (its closed form is not legible in the scanned source), or find a collision for the hash function in polynomial time.

Sketch of proof :

Suppose a malicious prover M is able to answer k + i challenges. By the pigeonhole principle he is able to answer 2i challenges of the form {(r_j, b), 1 ≤ j ≤ i and b ∈ {0, 1}}. Rewriting the commitment c3 in two different ways shows that he is able to construct an (i + 1)-tuple (c, z_1, ..., z_i) solution of the following problem :

   s_{r_j} = c + H · z_j^T   (1)

with wt(z_j) = w, s_{r_j} the syndrome of the public key x shifted by r_j positions, c a constant vector and 1 ≤ j ≤ i.

The next step consists in reducing the solutions of problem (1) by increasing the value of the parameter i. We use probabilities to evaluate the size of the set of solutions and more particularly the distribution of syndromes of words of weight w for a double circulant code with adequate length, see [GZ08]. We deduce that a random tuple (c, z_1, ..., z_i) with z_j a word of fixed weight w for 1 ≤ j ≤ i satisfies the set of equations (1) with a probability whose expression is not legible in the scanned source. A careful probability analysis gives the bound described in the theorem. This probability depends on i, which is the number of conditions.

Notice that the tuple (0, z_1, ..., z_i) is a solution of equation (1) with z_j equal to the secret key shifted by block for 1 ≤ j ≤ i. Since we choose i such that the shifted secret key is the unique solution with a very strong probability, a malicious prover who knows how to answer in k + i cases out of 2k will be able to retrieve the secret key with a shift by block with a very strong probability (in practice the probability is chosen up to 1 − 2^-80).

C. Zero-Knowledge

This part of the proof consists in proving that no information can be deduced in polynomial time from an execution of the protocol beyond the knowledge of the public data. The idea is to prove that anyone can build a simulator of the protocol in polynomial time such that the result of the simulator cannot be distinguished from a real execution. The simulator is built by anticipating the challenges: for each round it is possible to make a valid instance by anticipating the challenge b only. This implies a construction in twice the number of rounds of the protocol.

The case b = 0 can be anticipated by the choice of σ a random permutation, v a random word, h1 = hash(σ) and h3 = hash(σ(vG + x_r)). We notice that (v, σ) and (u + m_r, σ) are indistinguishable. The case b = 1 can be anticipated by the choice of v and z such that z is a word of weight w, v = π(uG) with π a random permutation, u a random word, h2 = hash(v) and h3 = hash(v + z). We notice that (v, z) and (σ(uG), σ(e_r)) are indistinguishable. The construction cost of the simulator is negligible and does not affect the security parameters. When we use the commitment compression improvement the proof is different because of the complexity cost of anticipation: in this case the construction cost of the simulator is not negligible, and it is more interesting to apply this improvement several times instead of once so as not to affect the security too much.

D. Practical security of double circulant codes

Unlike the original Stern scheme, our protocol is based on decoding a random double-circulant matrix (the SD-DC problem, say); this problem, unlike the SD problem, is not proven NP-hard (although a result is known on the hardness of decoding general quasi-cyclic codes). Meanwhile in our case the problem appears to be hard since: 1) it has been proven in [GZ08] that random double circulant codes rely on the GV bound, 2) it is not known, even with very structured codes, how to decode a code up to the GV bound in polynomial time and, at last, 3) in practice there is no known specialized algorithm which does significantly better (besides a small linear factor n) for solving the SD-DC problem. The situation is the same as for lattices and ideal lattices compared to random lattices. In practice the best known algorithms to attack the SD-DC problem are the same as those for the SD problem ([FS09]).

V. Parameters for authentication and signature

According to the security constraints for zero-knowledge discussed earlier we choose as parameters n = 698, k = 349, i = 19, w = 70 for a security of 2^81 and a cheating probability of 2^-16.

For a security of 2^100 we choose n = 838, k = 419, i = 20, w = 86, and for a security of 2^128 we have n = 1094, k = 547, i = (value illegible in the source), w = 109.

• For signature, and a cheating probability of 2^-80, it is sufficient to multiply by 5 the previous data. Overall our double-circulant scheme permits to obtain a signature of length 93kb.

TABLE I
Comparison between ZK schemes for a 2^-16 cheating probability

                       Stern 3        Stern 5        Veron          CVE                New protocol
Rounds                 28             16             28             16                 18
Matrix size (bits)     122500         122500         122500         32768              350
Public Id (bits)       350            2450           700            512                700
Secret key (bits)      700            4900           1050           1024               700
Communication (bits)   42019          62272          35486          31888              20080
Prover's computation   2^? op. in F_2 2^? op. in F_2 2^? op. in F_2 2^? mult. in F_256 2^? op. in F_2

(The exponents in the last row are not legible in the scanned source.)
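The "Rounds" row of Table I follows from the per-round cheating probability of each scheme, and the 18 rounds of the new protocol from its (k + i)/2k bound with k = 349, i = 19. The following Python is an added example written for this page, not code from the paper or its authors; it takes 2/3 for the 3-pass schemes (Stern 3, Veron), assumes exactly 1/2 for Stern 5 and CVE (the text says "close to 1/2"), and computes the smallest number of rounds whose product of cheating probabilities falls to 2^-16, in exact integer arithmetic so no rounding can shift the answer.

```python
import math

# Per-round cheating probability of each scheme as (numerator, denominator).
# 1/2 for Stern 5 and CVE and the pair k = 349, i = 19 are this example's assumptions.
SCHEMES = {
    "Stern 3": (2, 3),
    "Stern 5": (1, 2),
    "Veron": (2, 3),
    "CVE": (1, 2),
    "New protocol": (349 + 19, 2 * 349),   # (k + i) / 2k
}

def cheating_probability(k, i):
    """Per-round cheating probability of the new scheme: k + i of the 2k challenges."""
    return (k + i, 2 * k)

def rounds_needed(num, den, target_bits):
    """Smallest R with (num/den)^R <= 2^-target_bits, in exact integer arithmetic."""
    rounds, p_num, p_den = 0, 1, 1
    while p_num << target_bits > p_den:     # while (p_num/p_den) > 2^-target_bits
        p_num, p_den, rounds = p_num * num, p_den * den, rounds + 1
    return rounds

def achieved_bits(num, den, rounds):
    """-log2 of the overall cheating probability after the given number of rounds."""
    return rounds * math.log2(den / num)

def rounds_table(target_bits=16):
    """Rounds each scheme needs for a 2^-target_bits cheating probability."""
    return {name: rounds_needed(n, d, target_bits) for name, (n, d) in SCHEMES.items()}
```

The per-round bound of the new protocol is 368/698, slightly above 1/2, which is why it needs 18 rounds rather than the 16 of an exact-1/2 scheme; `achieved_bits(368, 698, 18)` shows the 18 rounds actually land a little below 2^-16.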

Remark: it is possible to decrease the communication cost even more by using a constant weight encoding when sending σ(e_r); the cost is then k bits rather than 2k bits. Overall it decreases the authentication to 17kb and the signature to 79kb, but the encoding comes with a complexity price.

VI. Conclusion

In this paper we propose a new variation on Stern's authentication scheme. Our protocol permits to obtain a gain of more than 40% compared to previous schemes, and it is the first code-based zero-knowledge scheme to obtain a signature length of less than 100kb with strong security and small keys.